Sigma Detection Rules
- {"description": "7-Zip through 21.07 on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process.", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "e2966944-d9b9-b53b-61be-996d11685435", "language": "lucene", "max_signals": 100, "risk_score": 65, "name": "Suspicious 7zip Subprocess", "query": "((process.executable:*\\\\cmd.exe AND process.parent.executable:*\\\\7zFM.exe) AND (NOT ((process.command_line:*\\ \\/c\\ *) OR (NOT _exists_:process.command_line))))", "meta": {"from": "1m"}, "severity": "high", "tags": [], "to": "now", "type": "query", "threat": [], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint.", "enabled": false, "false_positives": ["This rule is to explore new applications on an endpoint. False positives depends on the organization.", "Newly setup system.", "Legitimate installation of new application."], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "e878ebf6-87da-32ea-35a3-7cdd97f7b498", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "New Application in AppCompat", "query": "(winlog.event_data.EventType:\"Setvalue\" AND winlog.event_data.TargetObject:*\\\\AppCompatFlags\\\\Compatibility\\ Assistant\\\\Store\\\\*)", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1204"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0002", "reference": "", "name": "Execution"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1204", "name": "User Execution", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["Roberto Rodriguez (Cyb3rWard0g)", "OTR (Open Threat Research)"], "license": ""}
- {"description": "A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.", "enabled": false, "false_positives": ["An FP could be caused, for example, by a legitimate application writing shortcuts. This folder should always be inspected to make sure that all the files in there are legitimate"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "8e5f0a87-db26-0565-c8dd-2bb21ae213c2", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Startup Folder File Write", "query": "(file.path.text:*\\\\Microsoft\\\\Windows\\\\Start\\ Menu\\\\Programs\\\\StartUp* AND (NOT (process.executable.text:\"C\\:\\\\Windows\\\\System32\\\\wuauclt.exe\" OR file.path.text:C\\:\\\\$WINDOWS.\\~BT\\\\NewOS\\\\*)))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1547"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0003", "reference": "", "name": "Persistence"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["Roberto Rodriguez (Cyb3rWard0g)", "OTR (Open Threat Research)"], "license": ""}
- {"description": "A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.", "enabled": false, "false_positives": ["System administrators managing certificates."], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "286a8d22-d241-e293-e36b-e17af327cb24", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Suspicious PFX File Creation", "query": "(file.path:*.pfx AND (NOT ((file.path:*\\\\Templates\\\\Windows\\\\Windows_TemporaryKey.pfx* AND file.path:*\\\\CMake\\\\*))))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Credential Access", "T1552"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0006", "reference": "", "name": "Credential Access"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["Roberto Rodriguez (Cyb3rWard0g)", "OTR (Open Threat Research)"], "license": ""}
- {"description": "A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture.", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "953ab693-f7f9-b1f7-216a-53e977e0df36", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Suspicious System.Drawing Load", "query": "(file.path:*\\\\System.Drawing.ni.dll AND (NOT ((process.executable:(C\\:\\\\Program\\ Files\\\\* OR C\\:\\\\Program\\ Files\\ \\(x86\\)\\\\* OR C\\:\\\\Windows\\\\System32\\\\* OR C\\:\\\\Windows\\\\Microsoft.NET\\\\* OR C\\:\\\\Windows\\\\ImmersiveControlPanel\\\\*)) OR (process.executable:(C\\:\\\\Users\\\\*\\\\AppData\\\\Local\\\\NhNotifSys\\\\nahimic\\\\nahimicNotifSys.exe OR C\\:\\\\Users\\\\*\\\\GitHubDesktop\\\\Update.exe OR \"C\\:\\\\Windows\\\\System32\\\\NhNotifSys.exe\")))))", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1113"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0009", "reference": "", "name": "Collection"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1113", "name": "Screen Capture", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["Roberto Rodriguez (Cyb3rWard0g)", "OTR (Open Threat Research)"], "license": ""}
- {"description": "A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used in UAC bypass techniques.", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "229e3860-1c84-7765-2991-aa7df491d81b", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "High Integrity Sdclt Process", "query": "(process.executable:*sdclt.exe AND IntegrityLevel:\"High\")", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Defense Evasion", "Privilege Escalation", "T1548"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0004", "reference": "", "name": "Privilege Escalation"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": ""}]}, {"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["Roberto Rodriguez (Cyb3rWard0g)", "OTR (Open Threat Research)"], "license": ""}
- {"description": "A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used in UAC bypass techniques.", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "6fdff597-19e4-3ab4-94a3-4c0c3ebccea9", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Sdclt Child Processes", "query": "process.parent.executable:*\\\\sdclt.exe", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Privilege Escalation", "T1548"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0004", "reference": "", "name": "Privilege Escalation"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["Roberto Rodriguez (Cyb3rWard0g)", "OTR (Open Threat Research)"], "license": ""}
- {"description": "A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "112fc939-6ff4-11fb-7b1b-2e77d8605f37", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "PowerShell Decompress Commands", "query": "(powershell.command.invocation_details:*Expand\\-Archive* OR winlog.event_data.Payload:*Expand\\-Archive*)", "meta": {"from": "1m"}, "severity": "low", "tags": ["Defense Evasion", "T1140"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1140", "name": "Deobfuscate/Decode Files or Information", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["Roberto Rodriguez (Cyb3rWard0g)", "OTR (Open Threat Research)"], "license": ""}
- {"description": "A General detection for svchost.exe spawning rundll32.exe with command arguments like C:\\windows\\system32\\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "725962c6-9871-829d-9dd7-8d7da4396b66", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Suspicious WebDav Client Execution", "query": "((process.executable:*\\\\rundll32.exe OR winlog.event_data.OriginalFileName:\"RUNDLL32.EXE\") AND process.command_line:*C\\:\\\\windows\\\\system32\\\\davclnt.dll,DavSetCookie*)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1048"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0010", "reference": "", "name": "Exfiltration"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["Roberto Rodriguez (Cyb3rWard0g)", "OTR (Open Threat Research)"], "license": ""}
- {"description": "A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.", "author": ["Roberto Rodriguez (Cyb3rWard0g)", "OTR (Open Threat Research)"], "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "91fe9a49-cebd-b515-1598-7b6b5d7fd09b", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "PowerShell Get Clipboard", "query": "((powershell.command.invocation_details:*Get\\-Clipboard*) OR (winlog.event_data.Payload:*Get\\-Clipboard*))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1115"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0009", "reference": "", "name": "Collection"}, "framework": "MITRE ATT&CK", "technique": [{"id": "T1115", "name": "Clipboard Data", "reference": ""}]}], "version": 1, "references": ["", ""], "license": "", "timestamp_override": "event.ingested"}
- {"description": "A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration.", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["*ecs-*"], "interval": "5m", "rule_id": "2d2dc5d2-9349-7be3-e262-9a237599ea23", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "WebDav Put Request", "query": "(event.dataset:\"http\" AND (user_agent.original:*WebDAV* AND http.request.method.text:\"PUT\") AND (NOT (destination.ip:(\"192.168.0.0\\/16\" OR \"172.16.0.0\\/12\" OR \"10.0.0.0\\/8\"))))", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1048"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0010", "reference": "", "name": "Exfiltration"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["Roberto Rodriguez (Cyb3rWard0g)", "OTR (Open Threat Research)"], "license": ""}
- {"description": "A General detection to trigger for processes removing .*\\shell\\open\\command registry keys. Registry keys that might have been used for COM hijacking activities.", "enabled": false, "false_positives": ["Legitimate software (un)installations are known to cause some false positives. Please add them as a filter when encountered"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "9d18f18d-13c3-6940-0816-99a536784740", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Removal of Potential COM Hijacking Registry Keys", "query": "((winlog.event_data.EventType:\"DeleteKey\" AND winlog.event_data.TargetObject:*\\\\shell\\\\open\\\\command) AND (NOT ((process.executable.text:\"C\\:\\\\Windows\\\\system32\\\\svchost.exe\") OR (process.executable.text:(C\\:\\\\Program\\ Files\\\\Common\\ Files\\\\Microsoft\\ Shared\\\\ClickToRun\\\\* OR C\\:\\\\Program\\ Files\\\\Common\\ Files\\\\Microsoft\\ Shared\\\\ClickToRun\\\\Updates\\\\*) AND process.executable.text:*\\\\OfficeClickToRun.exe) OR (process.executable.text:\"C\\:\\\\Program\\ Files\\ \\(x86\\)\\\\Microsoft\\ Office\\\\root\\\\integration\\\\integrator.exe\") OR (process.executable.text:*\\\\Dropbox.exe AND winlog.event_data.TargetObject:*\\\\Dropbox.*) OR (process.executable.text:*\\\\AppData\\\\Local\\\\Temp\\\\Wireshark_uninstaller.exe AND winlog.event_data.TargetObject:*\\\\wireshark\\-capture\\-file\\\\*) OR (process.executable.text:(C\\:\\\\Program\\ Files\\\\Opera\\\\* OR C\\:\\\\Program\\ Files\\ \\(x86\\)\\\\Opera\\\\*) AND process.executable.text:*\\\\installer.exe) OR (process.executable.text:*peazip* AND winlog.event_data.TargetObject:*\\\\PeaZip.*) OR (process.executable.text:*\\\\Everything.exe AND winlog.event_data.TargetObject:*\\\\Everything.*))))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Defense Evasion", "T1112"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", 
"reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1112", "name": "Modify Registry", "reference": ""}]}], "version": 1, "references": ["", "", "", "", ""], "timestamp_override": "event.ingested", "author": ["Roberto Rodriguez (Cyb3rWard0g)", "OTR (Open Threat Research)"], "license": ""}
- {"description": "A General detection to trigger for the creation or modification of .*\\Software\\Sysinternals\\SDelete registry keys. This is an indicator of the use of the Sysinternals SDelete tool.", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "63dfd541-cb56-ea8f-cbee-e2603990183b", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Sysinternals SDelete Registry Keys", "query": "(winlog.event_data.EventType:\"CreateKey\" AND winlog.event_data.TargetObject:*\\\\Software\\\\Sysinternals\\\\SDelete*)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Defense Evasion", "T1070"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1070", "name": "Indicator Removal on Host", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["Roberto Rodriguez (Cyb3rWard0g)", "OTR (Open Threat Research)"], "license": ""}
- {"description": "A General detection to trigger for the deletion of files by Sysinternals SDelete. It looks for the common name pattern used to rename files.", "enabled": false, "false_positives": ["Legitimate usage of SDelete"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "ebdcab76-5eae-041d-02d3-44b1313b09ed", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Sysinternals SDelete File Deletion", "query": "(file.path.text:(*.AAA OR *.ZZZ) AND (NOT ((file.path.text:*\\\\Wireshark\\\\radius\\\\dictionary.alcatel\\-lucent.aaa))))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Defense Evasion", "T1070"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1070", "name": "Indicator Removal on Host", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["Roberto Rodriguez (Cyb3rWard0g)", "OTR (Open Threat Research)"], "license": ""}
- {"description": "A failed logon (Security Event ID 4625) from a public IP can indicate a misconfigured firewall or network boundary.", "author": ["NVISO"], "enabled": false, "false_positives": ["Legitimate logon attempts over the internet", "IPv4-to-IPv6 mapped IPs"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "a84ed766-08c8-991d-afd9-4c753ae79bcc", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Failed Logon From Public IP", "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4625\" AND (NOT ((source.ip:*\\-*) OR (source.ip:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.* OR 169.254.*)) OR (((source.ip:\"::1\") OR (source.ip:(fe80\\:\\:* OR fc00\\:\\:*)))))))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Initial Access", "T1078", "T1133", "T1190"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0001", "reference": "", "name": "Initial Access"}, "framework": "MITRE ATT&CK", "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": ""}, {"id": "T1133", "name": "External Remote Services", "reference": ""}, {"id": "T1190", "name": "Exploit Public-Facing Application", "reference": ""}]}, {"tactic": {"id": "TA0003", "reference": "", "name": "Persistence"}, "framework": "MITRE ATT&CK", "technique": [{"id": "T1078", "name": "Valid Accounts", "reference": ""}, {"id": "T1133", "name": "External Remote Services", "reference": ""}]}], "version": 1, "license": "", "references": [""], "timestamp_override": "event.ingested"}
- {"description": "An Office macro-enabled file is created from a command line or a script", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "5a25ccd9-2ac8-0818-2755-ddd2ffd3bda6", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Dump Office Macro Files from Commandline", "query": "(file.path:(*.docm OR *.dotm OR *.xlsm OR *.xltm OR *.potm OR *.pptm OR *.pptx) AND (process.executable:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\pwsh.exe) OR process.parent.executable:(*\\\\cmd.exe OR *\\\\powershell.exe OR *\\\\pwsh.exe)))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Initial Access", "T1566"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0001", "reference": "", "name": "Initial Access"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1566", "name": "Phishing", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "A rule has been deleted in the Windows Firewall exception list.", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "f2f35b28-9d08-1be2-62f0-03e4106bc327", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Delete Rule in Windows Firewall with Advanced Security", "query": "(winlog.event_id:(\"2006\" OR \"2033\") AND (NOT ((ModifyingApplication:\"C\\:\\\\Windows\\\\System32\\\\svchost.exe\" OR ModifyingApplication:(C\\:\\\\Program\\ Files\\\\* OR C\\:\\\\Program\\ Files\\ \\(x86\\)\\\\*)) OR (ModifyingApplication:C\\:\\\\ProgramData\\\\Microsoft\\\\Windows\\ Defender\\\\Platform\\\\* AND ModifyingApplication:*\\\\MsMpEng.exe))))", "meta": {"from": "1m"}, "severity": "medium", "tags": [], "to": "now", "type": "query", "threat": [], "version": 1, "references": ["(v=ws.10)"], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "A rule has been added to the Windows Firewall exception list", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "5d379852-df8c-fda0-6450-9f7748f461ee", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Added Rule in Windows Firewall with Advanced Security", "query": "(winlog.event_id:\"2004\" AND (NOT ((Action:\"2\") OR (ApplicationPath:(C\\:\\\\Program\\ Files\\\\* OR C\\:\\\\Program\\ Files\\ \\(x86\\)\\\\*) OR ModifyingApplication:\"C\\:\\\\Windows\\\\System32\\\\oobe\\\\Setup.exe\" OR ModifyingApplication:C\\:\\\\Windows\\\\WinSxS\\\\* OR ModifyingApplication:(\"C\\:\\\\Windows\\\\SysWOW64\\\\msiexec.exe\" OR \"C\\:\\\\Windows\\\\System32\\\\svchost.exe\" OR \"C\\:\\\\Windows\\\\System32\\\\dllhost.exe\" OR \"C\\:\\\\Program\\ Files\\\\Windows\\ Defender\\\\MsMpEng.exe\")) OR (ModifyingApplication:C\\:\\\\ProgramData\\\\Microsoft\\\\Windows\\ Defender\\\\Platform\\\\* AND ModifyingApplication:*\\\\MsMpEng.exe))))", "meta": {"from": "1m"}, "severity": "medium", "tags": [], "to": "now", "type": "query", "threat": [], "version": 1, "references": ["(v=ws.10)"], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "A rule has been modified in the Windows Firewall exception list", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "8dc80d6b-656f-8dbf-3d64-96571c426b39", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Modified Rule in Windows Firewall with Advanced Security", "query": "(winlog.event_id:\"2005\" AND (NOT ((ModifyingApplication:(C\\:\\\\Program\\ Files\\ \\(x86\\)\\\\* OR C\\:\\\\Program\\ Files\\\\*)))))", "meta": {"from": "1m"}, "severity": "low", "tags": [], "to": "now", "type": "query", "threat": [], "version": 1, "references": ["(v=ws.10)"], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "A Sigma rule detecting an unidentified attacker who used phishing emails to target high-profile organizations in November 2018. The actor shares some TTPs with the YTTRIUM/APT29 campaign in 2016.", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "d77e1d8a-ad72-c00b-c2e0-a9288e04e164", "language": "lucene", "max_signals": 100, "risk_score": 65, "name": "Unidentified Attacker November 2018", "query": "file.path:*ds7002.lnk*", "meta": {"from": "1m"}, "severity": "high", "tags": ["T1218"], "to": "now", "type": "query", "threat": [], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["@41thexplorer", "Microsoft Defender ATP"], "license": ""}
- {"description": "A Sigma rule detecting an unidentified attacker who used phishing emails to target high-profile organizations in November 2018. The actor shares some TTPs with the YTTRIUM/APT29 campaign in 2016.", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "d77e1d8a-ad72-c00b-c2e0-a9288e04e164", "language": "lucene", "max_signals": 100, "risk_score": 65, "name": "Unidentified Attacker November 2018", "query": "(process.command_line:*cyzfc.dat,* AND process.command_line:*PointFunctionCall)", "meta": {"from": "1m"}, "severity": "high", "tags": ["T1218"], "to": "now", "type": "query", "threat": [], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["@41thexplorer", "Microsoft Defender ATP"], "license": ""}
- {"description": "A symbolic link is a type of file that contains a reference to another file.\nChanging the symlink evaluation behavior with fsutil is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt\n", "enabled": false, "false_positives": ["Legitimate use"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "93c2a964-b47b-78a5-d623-3fe04304cb17", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Fsutil Behavior Set SymlinkEvaluation", "query": "(process.executable:*\\\\fsutil.exe AND process.command_line:*behavior\\ * AND process.command_line:*set\\ * AND process.command_line:*SymlinkEvaluation*)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1059"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0002", "reference": "", "name": "Execution"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Accesschk is an access and privilege audit tool developed by Sysinternals and often used by attackers to verify privileges", "enabled": false, "false_positives": ["System administrator Usage"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "404a8ec5-fece-fab2-bd63-98c27b5d99ea", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Accesschk Usage To Check Privileges", "query": "((Product:*AccessChk OR winlog.event_data.Description:*Reports\\ effective\\ permissions* OR process.executable.text:(*\\\\accesschk.exe OR *\\\\accesschk64.exe) OR winlog.event_data.OriginalFileName:\"accesschk.exe\") AND process.command_line.text:(*uwcqv\\ * OR *kwsu\\ * OR *qwsu\\ * OR *uwdqs\\ *))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1069"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": ""}]}], "version": 1, "references": ["", "", "", ""], "timestamp_override": "event.ingested", "author": ["Teymur Kheirkhabarov (idea)", "Mangatas Tondang (rule)", "oscd.community", "Nasreddine Bencherchali (modified)"], "license": ""}
- {"description": "Addition of domain trusts is rare and should be verified for legitimacy.", "enabled": false, "false_positives": ["Legitimate extension of domain structure"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "a4ba7d34-5c63-cc18-9629-add19e717980", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Addition of Domain Trusts", "query": "(winlog.channel:\"Security\" AND winlog.event_id:\"4706\")", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1098"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0003", "reference": "", "name": "Persistence"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["Thomas Patzke"], "license": ""}
- {"description": "AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain.", "enabled": false, "false_positives": ["Admin activity"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "1fb8a604-bb6a-dc8e-8028-e7a434122dce", "language": "lucene", "max_signals": 100, "risk_score": 65, "name": "AdFind Usage Detection", "query": "process.command_line:(*domainlist* OR *trustdmp* OR *dcmodes* OR *adinfo* OR *\\ dclist\\ * OR *computer_pwdnotreqd* OR *objectcategory\\=* OR *\\-subnets\\ \\-f* OR *name\\=\\\"Domain\\ Admins\\\"* OR *\\-sc\\ u\\:* OR *domainncs* OR *dompol* OR *\\ oudmp\\ * OR *subnetdmp* OR *gpodmp* OR *fspdmp* OR *users_noexpire* OR *computers_active*)", "meta": {"from": "1m"}, "severity": "high", "tags": ["T1018", "T1482"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": ""}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": ""}]}], "version": 1, "references": ["", "", ""], "timestamp_override": "event.ingested", "author": ["Janantha Marasinghe ()"], "license": ""}
- {"description": "AdFind continues to be seen across the majority of breaches. It is used for domain trust discovery to plan out subsequent steps in the attack chain.", "enabled": false, "false_positives": ["Legitimate admin activity"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "1fb8a604-bb6a-dc8e-8028-e7a434122dce", "language": "lucene", "max_signals": 100, "risk_score": 65, "name": "AdFind Usage Detection", "query": "process.command_line.text:(*domainlist* OR *trustdmp* OR *dcmodes* OR *adinfo* OR *\\ dclist\\ * OR *computer_pwdnotreqd* OR *objectcategory\\=* OR *\\-subnets\\ \\-f* OR *name\\=\\\"Domain\\ Admins\\\"* OR *\\-sc\\ u\\:* OR *domainncs* OR *dompol* OR *\\ oudmp\\ * OR *subnetdmp* OR *gpodmp* OR *fspdmp* OR *users_noexpire* OR *computers_active* OR *computers_pwdnotreqd*)", "meta": {"from": "1m"}, "severity": "high", "tags": ["T1018", "T1069", "T1087", "T1482"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": ""}, {"id": "T1069", "name": "Permission Groups Discovery", "reference": ""}, {"id": "T1087", "name": "Account Discovery", "reference": ""}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": ""}]}], "version": 1, "references": ["", "", "", "", ""], "timestamp_override": "event.ingested", "author": ["Janantha Marasinghe ()", "FPT.EagleEye Team", "omkar72", "oscd.community"], "license": ""}
- {"description": "Administrative shares are hidden network shares created by Microsoft\u2019s Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "1c3ed132-2282-97ed-1fe7-a78b8adbd47d", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Disable Administrative Share Creation at Startup", "query": "(winlog.event_data.EventType:\"SetValue\" AND winlog.event_data.TargetObject:HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\LanmanServer\\\\Parameters\\\\* AND winlog.event_data.TargetObject:(*AutoShareWks OR *AutoShareServer) AND winlog.event_data.Details:\"DWORD\\ \\(0x00000000\\)\")", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Defense Evasion", "T1070"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1070", "name": "Indicator Removal on Host", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries can abuse the C:\\Windows\\System32\\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target.", "enabled": false, "false_positives": ["Administrative activity"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "25744b04-a37c-ff63-dad5-c63793a365bd", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "GatherNetworkInfo.vbs Script Usage", "query": "(process.command_line:*cscript.exe* AND process.command_line:*gatherNetworkInfo.vbs*)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1059"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0002", "reference": "", "name": "Execution"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["blueteamer8699"], "license": ""}
- {"description": "Adversaries can abuse wuauclt.exe (Windows Update client) to achieve code execution by specifying an arbitrary DLL.", "enabled": false, "false_positives": ["Wuaueng.dll, which is a module belonging to Microsoft Windows Update."], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "7386957d-1ceb-497a-1463-7daef946947a", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Monitoring Wuauclt.exe For Lolbas Execution Of DLL", "query": "((process.command_line:*wuauclt.exe* AND process.command_line:*\\/UpdateDeploymentProvider* AND process.command_line:*\\/Runhandlercomserver*) AND (NOT (process.command_line:(*wuaueng.dll* OR *UpdateDeploymentProvider.dll\\ \\/ClassId*))))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Defense Evasion", "T1218"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1218", "name": "Signed Binary Proxy Execution", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["Sreeman"], "license": ""}
- {"description": "Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.", "enabled": false, "false_positives": ["This may have false positives on hosts where Virtualbox is legitimately being used for operations"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "09a870bb-24e6-99ae-4b64-eb57f9e3b0d2", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Detect Virtualbox Driver Installation OR Starting Of VMs", "query": "(process.command_line:(*VBoxRT.dll,RTR3Init* OR *VBoxC.dll* OR *VBoxDrv.sys*) OR process.command_line:(*startvm* OR *controlvm*))", "meta": {"from": "1m"}, "severity": "low", "tags": ["Defense Evasion", "T1564", "T1564"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": ""}, {"id": "T1564", "name": "Hide Artifacts", "reference": ""}]}], "version": 1, "references": ["", "", ""], "timestamp_override": "event.ingested", "author": ["Janantha Marasinghe"], "license": ""}
- {"description": "Adversaries can interact with DACLs using the built-in Windows command takeown, which can grant adversaries higher permissions on specific files and folders.", "enabled": false, "false_positives": ["Scripts created by developers and admins", "Administrative activity"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "542b59a0-e79d-8885-791e-825479c51a65", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Suspicious Recursive Takeown", "query": "(process.executable:*\\\\takeown.exe AND process.command_line:*\\/f\\ * AND process.command_line:*\\/r*)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Defense Evasion", "T1222"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1222", "name": "File and Directory Permissions Modification", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.", "enabled": false, "false_positives": ["Administrative scripts (installers)"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "d5d4daa3-13b6-21fb-f095-196e821751f2", "language": "lucene", "max_signals": 100, "risk_score": 65, "name": "Curl Start Combination", "query": "((process.executable:*\\\\curl.exe OR Product:\"The\\ curl\\ executable\") AND process.command_line:(*\\ start\\ * OR *&call\\ * OR *&\\ call\\ *))", "meta": {"from": "1m"}, "severity": "high", "tags": ["T1105", "T1218"], "to": "now", "type": "query", "threat": [], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["Sreeman"], "license": ""}
- {"description": "Adversaries can use the inbuilt expand utility to decompress cab files, as seen in the recent Iranian MeteorExpress attack.", "enabled": false, "false_positives": ["System administrator usage"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "29214a41-02eb-4068-26f6-8f882b744b23", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Cabinet File Expansion", "query": "((process.executable.text:*\\\\expand.exe AND process.command_line.text:(*.cab* OR *\\/F\\:* OR *\\-F\\:* OR *C\\:\\\\ProgramData\\\\* OR *C\\:\\\\Public\\\\* OR *\\\\AppData\\\\Local\\\\Temp\\\\* OR *\\\\AppData\\\\Roaming\\\\Temp\\\\*)) AND (NOT ((process.parent.executable.text:\"C\\:\\\\Program\\ Files\\ \\(x86\\)\\\\Dell\\\\UpdateService\\\\ServiceShell.exe\" AND process.command_line.text:*C\\:\\\\ProgramData\\\\Dell\\\\UpdateService\\\\Temp\\\\*))))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1218"], "to": "now", "type": "query", "threat": [], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["Bhabesh Raj"], "license": ""}
- {"description": "Adversaries may modify system firewalls in order to bypass controls limiting network usage", "enabled": false, "false_positives": ["Legitimate administration"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "65ddcdf9-54d1-d0a6-42a2-169bdc76bc7c", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Netsh Allow Group Policy on Microsoft Defender Firewall", "query": "(process.executable:*\\\\netsh.exe AND process.command_line:*advfirewall* AND process.command_line:*firewall* AND process.command_line:*set* AND process.command_line:*rule* AND process.command_line:*group\\=* AND process.command_line:*new* AND process.command_line:*enable\\=Yes*)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Defense Evasion", "T1562"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model]()\n", "author": ["frack113"], "enabled": false, "false_positives": ["Administrator PowerShell scripts"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "9f2a5e04-f2af-c9b5-caa6-24cff46dca71", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Suspicious Download File Extension with BITS", "query": "((winlog.event_id:\"16403\" AND LocalName:(*.bat OR *.dll OR *.exe OR *.ps1 OR *.vbe OR *.vbs)) AND (NOT (LocalName:*\\\\AppData\\\\* AND RemoteName:*.com*)))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Defense Evasion", "T1197"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0003", "reference": "", "name": "Persistence"}, "framework": "MITRE ATT&CK", "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": ""}]}, {"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK", "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": ""}]}], "version": 1, "references": [""], "license": "", "timestamp_override": "event.ingested"}
- {"description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model]()\n", "author": ["Florian Roth"], "enabled": false, "false_positives": ["Administrator PowerShell scripts"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "0b26fde9-69b0-c4bf-bcc0-01cbf65676f9", "language": "lucene", "max_signals": 100, "risk_score": 65, "name": "Download with BITS to Suspicious Folder", "query": "(winlog.event_id:\"16403\" AND LocalName:(*C\\:\\\\Users\\\\Public\\\\* OR *%public%* OR *\\\\Desktop\\\\* OR *C\\:\\\\PerfLogs\\\\*))", "meta": {"from": "1m"}, "severity": "high", "tags": ["Defense Evasion", "T1197"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0003", "reference": "", "name": "Persistence"}, "framework": "MITRE ATT&CK", "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": ""}]}, {"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK", "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": ""}]}], "version": 1, "references": [""], "license": "", "timestamp_override": "event.ingested"}
- {"description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model]()\n", "enabled": false, "false_positives": ["Administrator PowerShell scripts"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "62064ae8-cc80-285b-44cc-510422d16ad9", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Suspicious Task Added by Powershell", "query": "(winlog.event_id:\"3\" AND processPath:(*\\\\powershell.exe OR *\\\\pwsh.exe))", "meta": {"from": "1m"}, "severity": "low", "tags": ["Defense Evasion", "T1197"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0003", "reference": "", "name": "Persistence"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": ""}]}, {"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.\nWindows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model]()\n", "enabled": false, "false_positives": ["Administrator PowerShell scripts"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "fc0a88c9-bebf-78ad-0991-81cafb300c48", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Suspicious Task Added by Bitsadmin", "query": "(winlog.event_id:\"3\" AND processPath:*\\\\bitsadmin.exe)", "meta": {"from": "1m"}, "severity": "low", "tags": ["Defense Evasion", "T1197"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0003", "reference": "", "name": "Persistence"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": ""}]}, {"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1197", "name": "BITS Jobs", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", "enabled": false, "false_positives": ["Legitimate PowerShell scripts"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "5fd2d4ba-29e9-03ce-2f17-c02c034e6556", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Suspicious Invoke-Item From Mount-DiskImage", "query": "(powershell.file.script_block_text:*Mount\\-DiskImage\\ * AND powershell.file.script_block_text:*\\-ImagePath\\ * AND powershell.file.script_block_text:*Get\\-Volume* AND powershell.file.script_block_text:*.DriveLetter* AND powershell.file.script_block_text:*invoke\\-item\\ * AND powershell.file.script_block_text:*\\)\\:\\\\*)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Defense Evasion", "T1553"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.", "enabled": false, "false_positives": ["Legitimate PowerShell scripts"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "21404d48-6376-5c53-b4d0-036d4468e92a", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Suspicious Mount-DiskImage", "query": "(powershell.file.script_block_text:*Mount\\-DiskImage\\ * AND powershell.file.script_block_text:*\\-ImagePath\\ *)", "meta": {"from": "1m"}, "severity": "low", "tags": ["Defense Evasion", "T1553"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in.\nWinlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete.\n", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "bbf180f9-cc58-d034-0800-0b68b4eff046", "language": "lucene", "max_signals": 100, "risk_score": 65, "name": "Winlogon Notify Key Logon Persistence", "query": "(winlog.event_data.TargetObject:*\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\Winlogon\\\\Notify\\\\logon AND winlog.event_data.Details:*.dll AND winlog.event_data.EventType:\"SetValue\")", "meta": {"from": "1m"}, "severity": "high", "tags": ["T1547"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0003", "reference": "", "name": "Persistence"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.\nOffice add-ins can be used to add functionality to Office programs\n", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "8e501198-ed35-7d73-dc6d-46ed6222c3ea", "language": "lucene", "max_signals": 100, "risk_score": 65, "name": "Code Executed Via Office Add-in XLL File", "query": "(powershell.file.script_block_text:*new\\-object\\ * AND powershell.file.script_block_text:*\\-ComObject\\ * AND powershell.file.script_block_text:*.application* AND powershell.file.script_block_text:*.RegisterXLL*)", "meta": {"from": "1m"}, "severity": "high", "tags": ["T1137"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0003", "reference": "", "name": "Persistence"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1137", "name": "Office Application Startup", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", "enabled": false, "false_positives": ["Legitimate msiexec over networks"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "e80f3c4d-d9cc-fdce-d780-72b2f4c0bee7", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Msiexec Initiated Connection", "query": "(winlog.event_data.Initiated:\"true\" AND process.executable:*\\\\msiexec.exe)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Defense Evasion", "T1218"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1218", "name": "Signed Binary Proxy Execution", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", "enabled": false, "false_positives": ["Legitimate script"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "3498ba2a-d8e0-2bae-d923-c87800372b92", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Suspicious Msiexec Execute Arbitrary DLL", "query": "((process.executable.text:*\\\\msiexec.exe AND process.command_line.text:(*\\ \\/y* OR *\\ \\-y*)) AND (NOT ((process.command_line.text:(*\\\\MsiExec.exe\\\"\\ \\/Y\\ \\\"C\\:\\\\Program\\ Files\\\\Bonjour\\\\mdnsNSP.dll* OR *\\\\MsiExec.exe\\\"\\ \\/Y\\ \\\"C\\:\\\\Program\\ Files\\ \\(x86\\)\\\\Bonjour\\\\mdnsNSP.dll* OR *\\\\MsiExec.exe\\\"\\ \\/Y\\ \\\"C\\:\\\\Program\\ Files\\ \\(x86\\)\\\\Apple\\ Software\\ Update\\\\ScriptingObjectModel.dll* OR *\\\\MsiExec.exe\\\"\\ \\/Y\\ \\\"C\\:\\\\Program\\ Files\\ \\(x86\\)\\\\Apple\\ Software\\ Update\\\\SoftwareUpdateAdmin.dll* OR *\\\\MsiExec.exe\\\"\\ \\/Y\\ \\\"C\\:\\\\Windows\\\\CCM\\\\* OR *\\\\MsiExec.exe\\\"\\ \\/Y\\ C\\:\\\\Windows\\\\CCM\\\\*)))))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Defense Evasion", "T1218"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": ""}]}], "version": 1, "references": ["", "", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.\nMsiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)\n", "enabled": false, "false_positives": ["Legitimate script"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "f5ab9dd8-3500-6ac6-4561-87655dc446a0", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Suspicious Msiexec Quiet Install", "query": "(((process.executable.text:*\\\\msiexec.exe OR winlog.event_data.OriginalFileName:\"msiexec.exe\") AND process.command_line.text:(*\\/i* OR *\\-i* OR *\\/package* OR *\\-package* OR *\\/a* OR *\\-a* OR *\\/j* OR *\\-j*) AND process.command_line.text:(*\\/q* OR *\\-q*)) AND (NOT ((process.parent.executable.text:C\\:\\\\Users\\\\* AND process.parent.executable.text:*\\\\AppData\\\\Local\\\\Temp\\\\*) OR (process.parent.executable.text:C\\:\\\\Windows\\\\Temp\\\\*))))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Defense Evasion", "T1218"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": ""}]}], "version": 1, "references": ["", "", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "ba24f92d-12c5-c703-d314-995c978c7e56", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Suspicious MsiExec Embedding Parent", "query": "((process.executable:(*\\\\powershell.exe OR *\\\\pwsh.exe OR *\\\\cmd.exe) AND process.parent.command_line:*MsiExec.exe* AND process.parent.command_line:*\\-Embedding\\ *) AND (NOT ((process.executable:*\\:\\\\Windows\\\\System32\\\\cmd.exe AND process.command_line:*C\\:\\\\Program\\ Files\\\\SplunkUniversalForwarder\\\\bin\\\\*) OR (process.command_line:*\\\\DismFoDInstall.cmd* OR process.parent.command_line:*\\\\MsiExec.exe\\ \\-Embedding\\ * AND process.parent.command_line:*Global\\\\MSI0000*))))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Defense Evasion", "T1218"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1218", "name": "System Binary Proxy Execution", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", "enabled": false, "false_positives": ["Legitimate administrative script"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "5b0098e0-76dd-3912-95fd-772b31e1a16d", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Powershell MsXml COM Object", "query": "(powershell.file.script_block_text:*New\\-Object* AND powershell.file.script_block_text:*\\-ComObject* AND powershell.file.script_block_text:*MsXml2.* AND powershell.file.script_block_text:*XmlHttp*)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1059"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0002", "reference": "", "name": "Execution"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": ""}]}], "version": 1, "references": ["", "(v=vs.85)", ""], "timestamp_override": "event.ingested", "author": ["frack113", "MatilJ"], "license": ""}
- {"description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)\nAdversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code\n", "author": ["frack113"], "enabled": false, "false_positives": ["Legitimate administrative script"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "364ebd9c-11d1-c4a2-d115-ffc8d1562a18", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Powershell XML Execute Command", "query": "(powershell.file.script_block_text:*New\\-Object* AND powershell.file.script_block_text:*System.Xml.XmlDocument* AND powershell.file.script_block_text:*.Load* AND powershell.file.script_block_text:(*IEX\\ * OR *Invoke\\-Expression\\ *))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1059"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0002", "reference": "", "name": "Execution"}, "framework": "MITRE ATT&CK", "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": ""}]}], "version": 1, "references": [""], "license": "", "timestamp_override": "event.ingested"}
- {"description": "Adversaries may abuse PowerShell commands and scripts for execution.\nPowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system\n", "author": ["frack113"], "enabled": false, "false_positives": ["Legitimate administrative script"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "c3f238b9-358c-e007-b717-e7e5e916878c", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "PowerShell Remote Session Creation", "query": "(powershell.file.script_block_text:*New\\-PSSession* AND powershell.file.script_block_text:*\\-ComputerName\\ *)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1059"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0002", "reference": "", "name": "Execution"}, "framework": "MITRE ATT&CK", "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": ""}]}], "version": 1, "references": ["", ""], "license": "", "timestamp_override": "event.ingested"}
- {"description": "Adversaries may abuse the Windows command shell for execution.\nThe Windows command shell ([cmd]()) is the primary command prompt on Windows systems.\nThe Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.\nBatch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.\nCommon uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.\n", "enabled": false, "false_positives": ["Legitimate administration script"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "d29b20d3-2faf-62f5-cfda-ce27b6975d34", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Powershell Execute Batch Script", "query": "(powershell.file.script_block_text:*Start\\-Process* AND powershell.file.script_block_text:(*.cmd* OR *.bat*))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1059"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0002", "reference": "", "name": "Execution"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "f898db39-3c98-8c9d-c890-9a26f3ede824", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Powershell Create Scheduled Task", "query": "(powershell.file.script_block_text:(*New\\-ScheduledTaskAction* OR *New\\-ScheduledTaskTrigger* OR *New\\-ScheduledTaskPrincipal* OR *New\\-ScheduledTaskSettingsSet* OR *New\\-ScheduledTask* OR *Register\\-ScheduledTask*) OR (powershell.file.script_block_text:*Invoke\\-CimMethod* AND powershell.file.script_block_text:*\\-ClassName* AND powershell.file.script_block_text:*PS_ScheduledTask* AND powershell.file.script_block_text:*\\-NameSpace* AND powershell.file.script_block_text:*Root\\\\Microsoft\\\\Windows\\\\TaskScheduler*))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1053"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0003", "reference": "", "name": "Persistence"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1053", "name": "Scheduled Task/Job", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may abuse Visual Basic (VB) for execution", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "9220f845-2578-8cfa-e81d-1759e271398d", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Cscript Visual Basic Script Execution", "query": "(process.executable:*\\\\cscript.exe AND process.command_line:*.vbs*)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1059"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0002", "reference": "", "name": "Execution"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "e2bfc722-fcb5-e4d0-d6e1-79729f76e36d", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Access to Browser Login Data", "query": "(powershell.file.script_block_text:*Copy\\-Item* AND powershell.file.script_block_text:*\\-Destination* AND powershell.file.script_block_text:(*\\\\Opera\\ Software\\\\Opera\\ Stable\\\\Login\\ Data* OR *\\\\Mozilla\\\\Firefox\\\\Profiles* OR *\\\\Microsoft\\\\Edge\\\\User\\ Data\\\\Default* OR *\\\\Google\\\\Chrome\\\\User\\ Data\\\\Default\\\\Login\\ Data* OR *\\\\Google\\\\Chrome\\\\User\\ Data\\\\Default\\\\Login\\ Data\\ For\\ Account*))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Credential Access", "T1555"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0006", "reference": "", "name": "Credential Access"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "962ab3e9-a8e2-f0ac-f0b5-2dccbda5ff58", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Accessing Encrypted Credentials from Google Chrome Login Database", "query": "(powershell.file.script_block_text:*Copy\\-Item* AND powershell.file.script_block_text:*\\-Destination* AND powershell.file.script_block_text:(*\\\\Google\\\\Chrome\\\\User\\ Data\\\\Default\\\\Login\\ Data* OR *\\\\Google\\\\Chrome\\\\User\\ Data\\\\Default\\\\Login\\ Data\\ For\\ Account*))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Credential Access", "T1555"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0006", "reference": "", "name": "Credential Access"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser.\nWeb browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.\nWeb browsers typically store the credentials in an encrypted format within a credential store.\n", "author": ["Nasreddine Bencherchali"], "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "450a43cf-d51c-0fbc-e6dc-3a69feba4770", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Potential Browser Data Stealing", "query": "(((process.command_line.text:(*copy\\-item* OR *copy* OR *cpi\\ * OR *\\ cp\\ * OR *move* OR *move\\-item* OR *\\ mi\\ * OR *\\ mv\\ *)) OR (process.executable.text:(*\\\\xcopy.exe OR *\\\\robocopy.exe)) OR (winlog.event_data.OriginalFileName:(\"XCOPY.EXE\" OR \"robocopy.exe\"))) AND process.command_line.text:(*\\\\Opera\\ Software\\\\Opera\\ Stable\\\\* OR *\\\\Mozilla\\\\Firefox\\\\Profiles* OR *\\\\Microsoft\\\\Edge\\\\User\\ Data\\\\* OR *\\\\Google\\\\Chrome\\\\User\\ Data\\\\*))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Credential Access", "T1555"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0006", "reference": "", "name": "Credential Access"}, "framework": "MITRE ATT&CK", "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": ""}]}], "version": 1, "references": [""], "license": "", "timestamp_override": "event.ingested"}
- {"description": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information", "enabled": false, "false_positives": ["Legitimate PowerShell scripts"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "b82ac7b2-723f-acfd-abdb-734894cb1d68", "language": "lucene", "max_signals": 100, "risk_score": 65, "name": "Create Volume Shadow Copy with Powershell", "query": "(powershell.file.script_block_text:*win32_shadowcopy* AND powershell.file.script_block_text:*\\).Create\\(* AND powershell.file.script_block_text:*ClientAccessible*)", "meta": {"from": "1m"}, "severity": "high", "tags": ["Credential Access", "T1003"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0006", "reference": "", "name": "Credential Access"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", "enabled": false, "false_positives": ["Legitimate administration activities"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "25fadaa8-d909-b906-52b6-e282a3bcef3c", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Detected Windows Software Discovery", "query": "(powershell.file.script_block_text:*get\\-itemProperty* AND powershell.file.script_block_text:*\\\\software\\\\* AND powershell.file.script_block_text:*select\\-object* AND powershell.file.script_block_text:*format\\-table*)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1518"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1518", "name": "Software Discovery", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["Nikita Nazarov", "oscd.community"], "license": ""}
- {"description": "Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.", "enabled": false, "false_positives": ["Legitimate administration activities"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "25fadaa8-d909-b906-52b6-e282a3bcef3c", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Detected Windows Software Discovery", "query": "(process.executable.text:*\\\\reg.exe AND process.command_line.text:*query* AND process.command_line.text:*\\\\software\\\\* AND process.command_line.text:*\\/v* AND process.command_line.text:*svcversion*)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1518"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1518", "name": "Software Discovery", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["Nikita Nazarov", "oscd.community"], "license": ""}
- {"description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "f734d3e5-88dd-3421-26ae-622145ac2f4d", "language": "lucene", "max_signals": 100, "risk_score": 65, "name": "Registry Parse with Pypykatz", "query": "(process.executable:(*\\\\pypykatz.exe OR *\\\\python.exe) AND process.command_line:*live* AND process.command_line:*registry*)", "meta": {"from": "1m"}, "severity": "high", "tags": ["Credential Access", "T1003"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0006", "reference": "", "name": "Credential Access"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "24e82b6f-857b-d090-ce87-99ce8fa63fa4", "language": "lucene", "max_signals": 100, "risk_score": 65, "name": "Registry Dump of SAM Creds and Secrets", "query": "(process.command_line:*\\ save\\ * AND process.command_line:(*HKLM\\\\sam* OR *HKLM\\\\system* OR *HKLM\\\\security*))", "meta": {"from": "1m"}, "severity": "high", "tags": ["Credential Access", "T1003"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0006", "reference": "", "name": "Credential Access"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1003", "name": "OS Credential Dumping", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators. \n", "enabled": false, "false_positives": ["Administrator script"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "614b9bfc-229f-77b3-af91-21cec21d8ef9", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Suspicious Get Information for AD Groups or DoesNotRequirePreAuth User", "query": "((powershell.command.invocation_details:*get\\-ADPrincipalGroupMembership* OR winlog.event_data.Payload:*get\\-ADPrincipalGroupMembership*) OR ContextInfo:*get\\-ADPrincipalGroupMembership* OR ((powershell.command.invocation_details:*get\\-aduser* OR winlog.event_data.Payload:*get\\-aduser*) AND (powershell.command.invocation_details:*\\-f\\ * OR winlog.event_data.Payload:*\\-f\\ *) AND (powershell.command.invocation_details:*\\-pr\\ * OR winlog.event_data.Payload:*\\-pr\\ *) AND (powershell.command.invocation_details:*DoesNotRequirePreAuth* OR winlog.event_data.Payload:*DoesNotRequirePreAuth*)) OR (ContextInfo:*get\\-aduser* AND ContextInfo:*\\-f\\ * AND ContextInfo:*\\-pr\\ * AND ContextInfo:*DoesNotRequirePreAuth*))", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1069"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may attempt to find domain-level groups and permission settings.\nThe knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as domain administrators. \n", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "614b9bfc-229f-77b3-af91-21cec21d8ef9", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Suspicious Get Information for AD Groups or DoesNotRequirePreAuth User", "query": "(powershell.file.script_block_text:*get\\-ADPrincipalGroupMembership* OR (powershell.file.script_block_text:*get\\-aduser* AND powershell.file.script_block_text:*\\-f\\ * AND powershell.file.script_block_text:*\\-pr\\ * AND powershell.file.script_block_text:*DoesNotRequirePreAuth*))", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1069"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. \n", "enabled": false, "false_positives": ["Administrator script"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "5991201f-1073-7522-9dd9-b61b0247b12d", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Suspicious Get Local Groups Information", "query": "((powershell.command.invocation_details:(*get\\-localgroup* OR *Get\\-LocalGroupMember*) OR winlog.event_data.Payload:(*get\\-localgroup* OR *Get\\-LocalGroupMember*)) OR ContextInfo:(*get\\-localgroup* OR *Get\\-LocalGroupMember*) OR ((powershell.command.invocation_details:*Get\\-WMIObject* OR winlog.event_data.Payload:*Get\\-WMIObject*) AND (powershell.command.invocation_details:*Win32_Group* OR winlog.event_data.Payload:*Win32_Group*)) OR (ContextInfo:*Get\\-WMIObject* AND ContextInfo:*Win32_Group*))", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1069"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "5991201f-1073-7522-9dd9-b61b0247b12d", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Suspicious Get Local Groups Information", "query": "(powershell.file.script_block_text:(*get\\-localgroup* OR *Get\\-LocalGroupMember*) OR (powershell.file.script_block_text:*Get\\-WMIObject* AND powershell.file.script_block_text:*Win32_Group*))", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1069"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may attempt to find local system groups and permission settings.\nThe knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.\nAdversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.\n", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "ccb67c65-ca3d-c27c-8ec9-c568ac42b5ec", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Suspicious Get Local Groups Information with WMIC", "query": "((process.executable:*\\\\wmic.exe OR winlog.event_data.OriginalFileName:\"wmic.exe\") AND process.command_line:*\\ group*)", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1069"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.", "enabled": false, "false_positives": ["Admin script"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "832c5d81-8c93-4c17-ca92-71858a2b35c6", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Powershell Suspicious Win32_PnPEntity", "query": "powershell.file.script_block_text:*Win32_PnPEntity*", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1120"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1120", "name": "Peripheral Device Discovery", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "e1929e23-9bbb-2fa3-ef57-ec254c7d8fa2", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Use Get-NetTCPConnection", "query": "process.command_line:*Get\\-NetTCPConnection*", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1049"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1049", "name": "System Network Connections Discovery", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "e1929e23-9bbb-2fa3-ef57-ec254c7d8fa2", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Use Get-NetTCPConnection", "query": "ContextInfo:*Get\\-NetTCPConnection*", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1049"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1049", "name": "System Network Connections Discovery", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "39634393-d505-c3c6-503b-5a6d5a252de0", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Suspicious Listing of Network Connections", "query": "(process.command_line:*netstat* OR (process.command_line:*net\\ * AND (process.command_line:(*\\ use OR *\\ sessions) OR process.command_line:(*\\ use\\ * OR *\\ sessions\\ *))))", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1049"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1049", "name": "System Network Connections Discovery", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system", "enabled": false, "false_positives": ["Legitimate script"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "baecbb61-5bc7-944d-6f96-418eee7b7079", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Suspicious Scan Loop Network", "query": "(process.command_line:(*for\\ * OR *foreach\\ *) AND process.command_line:(*nslookup* OR *ping*))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1018", "T1059"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0002", "reference": "", "name": "Execution"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1059", "name": "Command and Scripting Interpreter", "reference": ""}]}, {"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1018", "name": "Remote System Discovery", "reference": ""}]}], "version": 1, "references": ["", "", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", "enabled": false, "false_positives": ["Legitimate python script"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "3b8905f7-12c4-09d8-2a18-fb757104be3b", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Python Initiated Connection", "query": "((winlog.event_data.Initiated:\"true\" AND process.executable.text:*python*) AND (NOT ((process.parent.executable.text:\"C\\:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\conda.exe\" AND process.command_line.text:*C\\:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\conda\\-script.py* AND process.command_line.text:*update*) OR (process.parent.executable.text:\"C\\:\\\\ProgramData\\\\Anaconda3\\\\python.exe\" AND process.command_line.text:*C\\:\\\\ProgramData\\\\Anaconda3\\\\Scripts\\\\jupyter\\-notebook\\-script.py*) OR (destination.ip:\"127.0.0.1\" AND source.ip:\"127.0.0.1\"))))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1046"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1046", "name": "Network Service Discovery", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation", "enabled": false, "false_positives": ["Network administrator computer"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "88c28afd-7d85-6411-233e-7a895d5f3149", "language": "lucene", "max_signals": 100, "risk_score": 65, "name": "Suspicious Nmap Execution", "query": "winlog.event_data.OriginalFileName:\"nmap.exe\"", "meta": {"from": "1m"}, "severity": "high", "tags": ["T1046"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1046", "name": "Network Service Scanning", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network", "enabled": false, "false_positives": ["Administrator, or a hotline asking the user to run the command"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "220ab015-b827-d529-ac6e-5b0470ed5109", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Suspicious Tasklist Discovery Command", "query": "(process.command_line:*tasklist* OR process.executable:\"C\\:\\\\Windows\\\\System32\\\\tasklist.exe\")", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1057"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1057", "name": "Process Discovery", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "10e798a8-78aa-1db7-7d22-8d588133efa0", "language": "lucene", "max_signals": 100, "risk_score": 65, "name": "Obfuscated Command Line Using Special Unicode Characters", "query": "process.command_line:(*\u00e2* OR *\u20ac* OR *\u00a3* OR *\u00af* OR *\u00ae* OR *\u00b5* OR *\u00b6*)", "meta": {"from": "1m"}, "severity": "high", "tags": ["Defense Evasion", "T1027"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1027", "name": "Obfuscated Files or Information", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.\nScreen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations\n", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "15faa5eb-7f87-480f-319d-8514b5b53542", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Windows Screen Capture with CopyFromScreen", "query": "powershell.file.script_block_text:*.CopyFromScreen*", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1113"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0009", "reference": "", "name": "Collection"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1113", "name": "Screen Capture", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may carry out malicious operations using a virtual instance to avoid detection", "enabled": false, "false_positives": ["Legitimate PowerShell scripts"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "59bada5a-9991-a48b-b2dc-acc2018262fd", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Suspicious Hyper-V Cmdlets", "query": "powershell.file.script_block_text:(*New\\-VM* OR *Set\\-VMFirmware* OR *Start\\-VM*)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Defense Evasion", "T1564"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1564", "name": "Hide Artifacts", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may collect data stored in the clipboard from users copying information within or between applications.", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "b1efda51-13f6-24cd-4909-0b91af33c42c", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Use of CLIP", "query": "(process.executable.text:*\\\\clip.exe OR winlog.event_data.OriginalFileName:\"clip.exe\")", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1115"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0009", "reference": "", "name": "Collection"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1115", "name": "Clipboard Data", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may communicate using a protocol and port pairing that are not typically associated.\nFor example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.\n", "enabled": false, "false_positives": ["Legitimate administrative script"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "87b4872c-8fc3-bf3f-8727-e47adc2ac689", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Testing Usage of Uncommonly Used Port", "query": "((powershell.file.script_block_text:*Test\\-NetConnection* AND powershell.file.script_block_text:*\\-ComputerName\\ * AND powershell.file.script_block_text:*\\-port\\ *) AND (NOT (powershell.file.script_block_text:(*\\ 443\\ * OR *\\ 80\\ *))))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1571"], "to": "now", "type": "query", "threat": [], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.\nCommands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.\n", "author": ["frack113"], "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "36b8f55b-5aba-4e9c-a714-0b940b765e69", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Change User Agents with WebRequest", "query": "(powershell.file.script_block_text:*Invoke\\-WebRequest* AND powershell.file.script_block_text:*\\-UserAgent\\ *)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1071"], "to": "now", "type": "query", "threat": [], "version": 1, "references": [""], "license": "", "timestamp_override": "event.ingested"}
- {"description": "Adversaries may create a domain account to maintain access to victim systems.\nDomain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain.\n", "enabled": false, "false_positives": ["Legitimate administrative script"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "dbf0c2d1-d13d-4ca9-0b3d-2d38eb0c9530", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Manipulation of User Computer or Group Security Principals Across AD", "query": "powershell.file.script_block_text:*System.DirectoryServices.AccountManagement*", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1136"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0003", "reference": "", "name": "Persistence"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1136", "name": "Create Account", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may delete files left behind by the actions of their intrusion activity.\nMalware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate what was done within a network and how.\nRemoval of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n", "enabled": false, "false_positives": ["Legitimate script", "Routine clean-up by administrators or installers; the query only checks for del /f or rmdir /s /q in a command line and is expected to be noisy"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "20af28b1-cf6e-93a7-351c-f5250d9c52f4", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Windows Cmd Delete File", "query": "((process.command_line:*del\\ * AND process.command_line:*\\/f*) OR (process.command_line:*rmdir* AND process.command_line:*\\/s* AND process.command_line:*\\/q*))", "meta": {"from": "1m"}, "severity": "low", "tags": ["Defense Evasion", "T1070"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1070", "name": "Indicator Removal on Host", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This rule matches file events from cmd.exe on files with common backup extensions (.VHD, .bac, .bak, .wbcat, .bkf, .set, .win, .dsk).", "enabled": false, "false_positives": ["Legitimate usage"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "595fc19d-de23-4068-4ec1-da74654e6a86", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Deletes Backup Files", "query": "(process.executable:*\\\\cmd.exe AND file.path:(*.VHD OR *.bac OR *.bak OR *.wbcat OR *.bkf OR *.set OR *.win OR *.dsk))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1490"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0034", "reference": "", "name": "Impact"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1490", "name": "Inhibit System Recovery", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.\nData destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives\n", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "fc6438f3-cf73-e73b-e945-e650035020fa", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Overwrite Deleted Data with Cipher", "query": "(process.executable:*\\\\cipher.exe AND process.command_line:*\\ \\/w\\:*)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1485"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0034", "reference": "", "name": "Impact"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1485", "name": "Data Destruction", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "cbd2cfcd-87bd-8bbe-06a7-d15e27c00182", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Disable Microsoft Defender Firewall via Registry", "query": "(winlog.event_data.EventType:\"SetValue\" AND winlog.event_data.TargetObject:HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\* AND winlog.event_data.TargetObject:*\\\\EnableFirewall AND winlog.event_data.Details:\"DWORD\\ \\(0x00000000\\)\")", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Defense Evasion", "T1562"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "3f82bc59-4bfb-e3b6-d940-3e7a41f327e1", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Remove Windows Defender Definition Files", "query": "(winlog.event_data.OriginalFileName:\"MpCmdRun.exe\" AND process.command_line.text:*\\ \\-RemoveDefinitions* AND process.command_line.text:*\\ \\-All*)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Defense Evasion", "T1562"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon", "enabled": false, "false_positives": ["Uninstall by admin"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "89266508-1c44-23bf-13bb-a3fa72ed6ccf", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Uninstall Crowdstrike Falcon", "query": "(process.command_line.text:*\\\\WindowsSensor.exe* AND process.command_line.text:*\\ \\/uninstall* AND process.command_line.text:*\\ \\/quiet*)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Defense Evasion", "T1562"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1562", "name": "Impair Defenses", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. This rule matches PowerShell script blocks that open a System.Net.Security.SslStream with a custom RemoteCertificateValidationCallback and call AuthenticateAsClient; supplying a custom validation callback is the usual way a script accepts any server certificate, including one presented by attacker-controlled infrastructure.", "enabled": false, "false_positives": ["Legitimate administrative script"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "c9ab0dd1-16f3-62d4-8ef0-93e93eed5c4a", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Suspicious SSL Connection", "query": "(powershell.file.script_block_text:*System.Net.Security.SslStream* AND powershell.file.script_block_text:*Net.Security.RemoteCertificateValidationCallback* AND powershell.file.script_block_text:*.AuthenticateAsClient*)", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1573"], "to": "now", "type": "query", "threat": [], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "32aceca4-af21-e4d5-f5a5-1009357cbc33", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Powershell Detect Virtualization Environment", "query": "(powershell.file.script_block_text:(*Get\\-WmiObject* OR *gwmi*) AND powershell.file.script_block_text:(*MSAcpi_ThermalZoneTemperature* OR *Win32_ComputerSystem*))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Defense Evasion", "T1497"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1497", "name": "Virtualization/Sandbox Evasion", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113", "Duc.Le-GTSC"], "license": ""}
- {"description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\n", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "859f1e90-0deb-1c4c-6095-f8c271fb5383", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Automated Collection Bookmarks Using Get-ChildItem PowerShell", "query": "(powershell.file.script_block_text:*Get\\-ChildItem* AND powershell.file.script_block_text:*\\ \\-Recurse\\ * AND powershell.file.script_block_text:*\\ \\-Path\\ * AND powershell.file.script_block_text:*\\ \\-Filter\\ Bookmarks* AND powershell.file.script_block_text:*\\ \\-ErrorAction\\ SilentlyContinue* AND powershell.file.script_block_text:*\\ \\-Force*)", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1217"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1217", "name": "Browser Bookmark Discovery", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may enumerate browser bookmarks to learn more about compromised hosts.\nBrowser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about\ninternal network resources such as servers, tools/dashboards, or other related infrastructure.\nThis rule matches where.exe invocations that search for browser profile files. Besides bookmark files it also covers history, cookie, form-history, session and credential stores (places.sqlite, cookies.sqlite, formhistory.sqlite, sessionstore.jsonlz4, logins.json, key3.db, key4.db, Login Data), so a hit may indicate credential access rather than bookmark discovery alone.\n", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "767961d3-8b37-93e7-9852-de320993705e", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Suspicious Where Execution", "query": "((process.executable:*\\\\where.exe OR winlog.event_data.OriginalFileName:\"where.exe\") AND process.command_line:(*places.sqlite* OR *cookies.sqlite* OR *formhistory.sqlite* OR *logins.json* OR *key4.db* OR *key3.db* OR *sessionstore.jsonlz4* OR *History* OR *Bookmarks* OR *Cookies* OR *Login\\ Data*))", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1217"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1217", "name": "Browser Bookmark Discovery", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113", "Nasreddine Bencherchali"], "license": ""}
- {"description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.\nAdversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors,\nincluding whether or not the adversary fully infects the target and/or attempts specific actions.\n", "enabled": false, "false_positives": ["Unknown", "Any script block that contains the substring ls (for example else or false) together with -recurse, because the *ls* term is an unanchored wildcard rather than a match on the ls alias"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "1488245d-b6d6-f480-b54e-154a1dedd8a0", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Powershell File and Directory Discovery", "query": "(powershell.file.script_block_text:(*ls* OR *get\\-childitem* OR *gci*) AND powershell.file.script_block_text:*\\-recurse*)", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1083"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1083", "name": "File and Directory Discovery", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "ad05d936-ddac-1aa7-db58-45ed525b4f8c", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Powershell WMI Persistence", "query": "(powershell.file.script_block_text:*New\\-CimInstance\\ * AND powershell.file.script_block_text:*\\-Namespace\\ root\\/subscription\\ * AND powershell.file.script_block_text:*\\-Property\\ * AND (powershell.file.script_block_text:*\\-ClassName\\ __EventFilter\\ * OR powershell.file.script_block_text:*\\-ClassName\\ CommandLineEventConsumer\\ *))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Privilege Escalation", "T1546"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0004", "reference": "", "name": "Privilege Escalation"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.\n", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "9078ec28-ee5e-de72-a5c1-8f4000748e5c", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "New Shim Database Created in the Default Directory", "query": "(file.path:*.sdb AND file.path:*\\\\Windows\\\\apppatch\\\\Custom\\\\*)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1547"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0003", "reference": "", "name": "Persistence"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n", "author": ["frack113"], "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "b55589e3-453a-3586-b9b9-25ac16df9843", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Potential Persistence Via Shim Database Modification", "query": "((winlog.event_data.TargetObject:(HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB\\\\* OR HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*) AND winlog.event_data.EventType:\"SetValue\") AND (NOT winlog.event_data.Details:\"\"))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1546"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0003", "reference": "", "name": "Persistence"}, "framework": "MITRE ATT&CK", "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": ""}]}], "version": 1, "references": ["", ""], "license": "", "timestamp_override": "event.ingested"}
- {"description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.\nThe Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time\n", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "33fb96b2-74bd-3ae5-7524-8ca71b9494b6", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Registry Key Creation or Modification for Shim DataBase", "query": "((winlog.event_data.TargetObject:(HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\AppCompatFlags\\\\InstalledSDB\\\\* OR HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\ NT\\\\CurrentVersion\\\\AppCompatFlags\\\\Custom\\\\*) AND winlog.event_data.EventType:\"SetValue\") AND (NOT (winlog.event_data.Details:\"\")))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1546"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0003", "reference": "", "name": "Persistence"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "f690f572-accb-5b36-73c4-ed5f19dce195", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Suspicious Screensaver Binary File Creation", "query": "(file.path.text:*.scr AND (NOT ((process.executable.text:(*\\\\Kindle.exe OR *\\\\Bin\\\\ccSvcHst.exe)) OR (process.executable.text:*\\\\TiWorker.exe AND file.path.text:*\\\\uwfservicingscr.scr))))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1546"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0003", "reference": "", "name": "Persistence"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may establish persistence by executing malicious content triggered by user inactivity.\nScreensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension\n", "enabled": false, "false_positives": ["GPO"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "bcfc4586-0aa5-336b-4d6d-17d5acbf9fae", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Suspicious ScreenSave Change by Reg.exe", "query": "(process.executable:*\\\\reg.exe AND process.command_line:(*HKEY_CURRENT_USER\\\\Control\\ Panel\\\\Desktop* OR *HKCU\\\\Control\\ Panel\\\\Desktop*) AND process.command_line:*\\/t\\ REG_SZ* AND process.command_line:*\\/f* AND ((process.command_line:*\\/v\\ ScreenSaveActive* AND process.command_line:*\\/d\\ 1*) OR (process.command_line:*\\/v\\ ScreenSaveTimeout* AND process.command_line:*\\/d\\ *) OR (process.command_line:*\\/v\\ ScreenSaverIsSecure* AND process.command_line:*\\/d\\ 0*) OR (process.command_line:*\\/v\\ SCRNSAVE.EXE* AND process.command_line:*\\/d\\ * AND process.command_line:*.scr*)))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Privilege Escalation", "T1546"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0004", "reference": "", "name": "Privilege Escalation"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", "enabled": false, "false_positives": ["Legitimate administrative script"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "b23102ae-c723-97c4-b9b6-cbcd80d02c7c", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Service Registry Permissions Weakness Check", "query": "(powershell.file.script_block_text:*get\\-acl* AND powershell.file.script_block_text:*REGISTRY\\:\\:HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\*)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1574"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0003", "reference": "", "name": "Persistence"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.\nAdversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.\nWindows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Services\n", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "48cef6d3-b0f1-b6c0-a740-49d6f79925c1", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Service ImagePath Change with Reg.exe", "query": "(process.executable:*\\\\reg.exe AND process.command_line:*add\\ * AND process.command_line:*SYSTEM\\\\CurrentControlSet\\\\Services\\\\* AND process.command_line:*\\ ImagePath\\ * AND process.command_line:(*\\ \\/d\\ * OR *\\ \\-d\\ *))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1574"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0003", "reference": "", "name": "Persistence"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.\nAdversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\nThis rule only watches for the creation of C:\\program.exe, the file Windows tries first for an unquoted service path that begins with C:\\Program Files; hijack files placed deeper in the path (for example C:\\Program Files\\Vendor.exe for a path under C:\\Program Files\\Vendor Name\\) are not covered.\n", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "12aa4345-6cfc-9ad8-7eb9-546c8399289b", "language": "lucene", "max_signals": 100, "risk_score": 65, "name": "Creation Exe for Service with Unquoted Path", "query": "file.path:\"C\\:\\\\program.exe\"", "meta": {"from": "1m"}, "severity": "high", "tags": ["T1547"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0003", "reference": "", "name": "Persistence"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "5dab3030-47ed-0309-9f27-c492d224c564", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Powershell Trigger Profiles by Add_Content", "query": "(powershell.file.script_block_text:*Add\\-Content* AND powershell.file.script_block_text:*$profile* AND powershell.file.script_block_text:*\\-Value* AND powershell.file.script_block_text:(*Start\\-Process* OR *\\\"\\\"*))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Privilege Escalation", "T1546"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0004", "reference": "", "name": "Privilege Escalation"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1546", "name": "Event Triggered Execution", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", "author": ["Nasreddine Bencherchali"], "enabled": false, "false_positives": ["Unlikely"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "b29d45fa-1bc3-690d-0d90-8a55aec7ca86", "language": "lucene", "max_signals": 100, "risk_score": 65, "name": "Root Certificate Installed From Susp Locations", "query": "(process.command_line.text:*Import\\-Certificate* AND process.command_line.text:*\\ \\-File\\-Path\\ * AND process.command_line.text:*Cert\\:\\\\LocalMachine\\\\Root* AND process.command_line.text:(*\\\\AppData\\\\Local\\\\Temp\\\\* OR *\\:\\\\Windows\\\\TEMP\\\\* OR *\\\\Desktop\\\\* OR *\\\\Downloads\\\\* OR *\\\\Perflogs\\\\* OR *\\:\\\\Users\\\\Public\\\\*))", "meta": {"from": "1m"}, "severity": "high", "tags": ["Defense Evasion", "T1553"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK", "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": ""}]}], "version": 1, "references": ["", ""], "license": "", "timestamp_override": "event.ingested"}
- {"description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", "enabled": false, "false_positives": ["Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "3048173d-74b6-88a2-f9d5-cd2f02cc0fd6", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Root Certificate Installed", "query": "(powershell.file.script_block_text:*Cert\\:\\\\LocalMachine\\\\Root* AND (powershell.file.script_block_text:*Move\\-Item* OR powershell.file.script_block_text:*Import\\-Certificate*))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Defense Evasion", "T1553"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["oscd.community", "@redcanary", "Zach Stanford @svch0st"], "license": ""}
- {"description": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.", "enabled": false, "false_positives": ["Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "3048173d-74b6-88a2-f9d5-cd2f02cc0fd6", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Root Certificate Installed", "query": "(process.command_line.text:*root* AND ((process.executable.text:*\\\\certutil.exe AND process.command_line.text:*\\-addstore*) OR (process.executable.text:*\\\\CertMgr.exe AND process.command_line.text:*\\/add*)))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Defense Evasion", "T1553"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1553", "name": "Subvert Trust Controls", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["oscd.community", "@redcanary", "Zach Stanford @svch0st"], "license": ""}
- {"description": "Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "b80cd08b-bceb-26dd-5593-8d4077981a90", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Query Registry", "query": "(process.executable.text:*\\\\reg.exe AND process.command_line.text:(*query* OR *save* OR *export*) AND process.command_line.text:(*currentVersion\\\\windows* OR *winlogon\\\\* OR *currentVersion\\\\shellServiceObjectDelayLoad* OR *currentVersion\\\\run* OR *currentVersion\\\\policies\\\\explorer\\\\run* OR *currentcontrolset\\\\services*))", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1007", "T1012"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1007", "name": "System Service Discovery", "reference": ""}, {"id": "T1012", "name": "Query Registry", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["Timur Zinniatullin", "oscd.community"], "license": ""}
- {"description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.\nAccounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\nDespite the rule name, the query matches any Remove-ADGroupMember call that uses -Identity and -Members, regardless of which group is targeted; filter on the group name (for example Domain Admins) if only removals from privileged groups are of interest.\n", "enabled": false, "false_positives": ["Unknown", "Routine group membership clean-up by administrators"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "1873ea3c-f1e2-1a54-d302-7a7a3f7d007f", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Remove Account From Domain Admin Group", "query": "(powershell.file.script_block_text:*Remove\\-ADGroupMember* AND powershell.file.script_block_text:*\\-Identity\\ * AND powershell.file.script_block_text:*\\-Members\\ *)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1531"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0034", "reference": "", "name": "Impact"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1531", "name": "Account Access Removal", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.\nThe COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).\nThese profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.\n(Citation: Microsoft Profiling Mar 2017)\n(Citation: Microsoft COR_PROFILER Feb 2013) \n", "enabled": false, "false_positives": ["Legitimate administrative script"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "7c278530-a9ac-cf21-7c9c-b2e52d3de801", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Registry-Free Process Scope COR_PROFILER", "query": "(powershell.file.script_block_text:*$env\\:COR_ENABLE_PROFILING* AND powershell.file.script_block_text:*$env\\:COR_PROFILER* AND powershell.file.script_block_text:*$env\\:COR_PROFILER_PATH*)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1574"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0003", "reference": "", "name": "Persistence"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1574", "name": "Hijack Execution Flow", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may log user keystrokes to intercept credentials as the user types them.", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "97764933-c6f2-139c-92b5-3435a85503c6", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Powershell Keylogging", "query": "(powershell.file.script_block_text:*Get\\-Keystrokes* OR (powershell.file.script_block_text:*Get\\-ProcAddress\\ user32.dll\\ GetAsyncKeyState* AND powershell.file.script_block_text:*Get\\-ProcAddress\\ user32.dll\\ GetForegroundWindow*))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1056"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0009", "reference": "", "name": "Collection"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1056", "name": "Input Capture", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", "enabled": false, "false_positives": ["Administrative activity"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "cde5f211-0c9c-0b9e-8e6e-453208434115", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Suspicious Netsh Discovery Command", "query": "(process.command_line:*netsh\\ * AND process.command_line:*show\\ * AND process.command_line:*firewall\\ * AND process.command_line:(*config\\ * OR *state\\ * OR *rule\\ * OR *name\\=all*))", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1016"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113", "Christopher Peacock '@securepeacock'", "SCYTHE '@scythe_io'"], "license": ""}
- {"description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", "enabled": false, "false_positives": ["Administrator, hotline ask to user"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "40c8941d-3d3d-9cd7-8737-ade72b777496", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Suspicious Network Command", "query": "process.command_line:(*ipconfig\\ \\/all* OR *netsh\\ interface\\ show\\ interface* OR *arp\\ \\-a* OR *nbtstat\\ \\-n* OR *net\\ config* OR *route\\ print*)", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1016"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1016", "name": "System Network Configuration Discovery", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113", "Christopher Peacock '@securepeacock'", "SCYTHE '@scythe_io'"], "license": ""}
- {"description": "Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "3bbeb74c-35ca-5505-5863-f4ea2abb9057", "language": "lucene", "max_signals": 100, "risk_score": 65, "name": "Suspicious Execution of SharpView Aka PowerView", "query": "(winlog.event_data.OriginalFileName:\"SharpView.exe\" OR process.executable.text:*\\\\SharpView.exe OR process.command_line.text:(*Get\\-DomainGPOUserLocalGroupMapping* OR *Find\\-GPOLocation* OR *Get\\-DomainGPOComputerLocalGroupMapping* OR *Find\\-GPOComputerAdmin* OR *Get\\-DomainObjectAcl* OR *Add\\-DomainObjectAcl* OR *Add\\-ObjectAcl* OR *Remove\\-DomainObjectAcl* OR *Get\\-RegLoggedOn* OR *Get\\-LoggedOnLocal* OR *Get\\-NetRDPSession* OR *Test\\-AdminAccess* OR *Invoke\\-CheckLocalAdminAccess* OR *Get\\-WMIProcess* OR *Get\\-NetProcess* OR *Get\\-WMIRegProxy* OR *Get\\-WMIRegLastLoggedOn* OR *Get\\-LastLoggedOn* OR *Get\\-WMIRegCachedRDPConnection* OR *Get\\-CachedRDPConnection* OR *Get\\-WMIRegMountedDrive* OR *Get\\-RegistryMountedDrive* OR *Find\\-InterestingDomainAcl* OR *Invoke\\-ACLScanner* OR *Get\\-NetShare* OR *Get\\-NetLoggedon* OR *Get\\-NetLocalGroup* OR *Get\\-NetLocalGroupMember* OR *Get\\-NetSession* OR *Get\\-PathAcl* OR *ConvertFrom\\-UACValue* OR *Get\\-PrincipalContext* OR *New\\-DomainGroup* OR *New\\-DomainUser* OR *Add\\-DomainGroupMember* OR *Set\\-DomainUserPassword* OR *Invoke\\-Kerberoast* OR *Export\\-PowerViewCSV* OR *Find\\-LocalAdminAccess* OR *Find\\-DomainLocalGroupMember* OR *Find\\-DomainShare* OR *Find\\-DomainUserEvent* OR *Find\\-DomainProcess* OR *Find\\-DomainUserLocation* OR *Find\\-InterestingFile* OR *Find\\-InterestingDomainShareFile* OR *Find\\-DomainObjectPropertyOutlier* OR *Get\\-NetDomain* OR *Get\\-DomainComputer* OR 
*Get\\-NetComputer* OR *Get\\-DomainController* OR *Get\\-NetDomainController* OR *Get\\-DomainFileServer* OR *Get\\-NetFileServer* OR *Convert\\-ADName* OR *Get\\-DomainObject* OR *Get\\-ADObject* OR *Get\\-DomainUser* OR *Get\\-NetUser* OR *Get\\-DomainGroup* OR *Get\\-DomainDFSShare* OR *Get\\-DFSshare* OR *Get\\-DomainDNSRecord* OR *Get\\-DomainForeignGroupMember* OR *Find\\-ForeignGroup* OR *Get\\-DomainForeignUser* OR *Find\\-ForeignUser* OR *ConvertFrom\\-SID* OR *Convert\\-SidToName* OR *Get\\-DomainGroupMember* OR *Get\\-NetGroupMember* OR *Get\\-DomainManagedSecurityGroup* OR *Find\\-ManagedSecurityGroups* OR *Get\\-DomainOU* OR *Get\\-NetOU* OR *Get\\-DomainSID* OR *Get\\-NetForest* OR *Get\\-ForestTrust* OR *Get\\-NetForestTrust* OR *Get\\-DomainTrust* OR *Get\\-NetDomainTrust* OR *Get\\-ForestDomain* OR *Get\\-NetForestDomain* OR *Get\\-DomainSite* OR *Get\\-NetSite* OR *Get\\-DomainSubnet* OR *Get\\-NetSubnet* OR *Get\\-DomainTrustMapping* OR *Invoke\\-MapDomainTrust* OR *Get\\-ForestGlobalCatalog* OR *Get\\-NetForestCatalog* OR *Get\\-DomainUserEvent* OR *Get\\-DomainGUIDMap* OR *Resolve\\-IPAddress* OR *ConvertTo\\-SID* OR *Invoke\\-UserImpersonation* OR *Get\\-DomainSPNTicket* OR *Request\\-SPNTicket* OR *Get\\-NetComputerSiteName* OR *Get\\-DomainGPO* OR *Get\\-NetGPO* OR *Set\\-DomainObject* OR *Add\\-RemoteConnection* OR *Remove\\-RemoteConnection* OR *Get\\-GptTmpl* OR *Get\\-GroupsXML* OR *Get\\-DomainPolicyData* OR *Get\\-DomainPolicy* OR *Get\\-DomainGPOLocalGroup* OR *Get\\-NetGPOGroup* OR *Invoke\\-Sharefinder*))", "meta": {"from": "1m"}, "severity": "high", "tags": ["T1033", "T1049", "T1069", "T1135", "T1482"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1033", "name": "System Owner/User Discovery", "reference": ""}, {"id": "T1049", "name": "System Network Connections Discovery", "reference": ""}, {"id": "T1069", 
"name": "Permission Groups Discovery", "reference": ""}, {"id": "T1135", "name": "Network Share Discovery", "reference": ""}, {"id": "T1482", "name": "Domain Trust Discovery", "reference": ""}]}], "version": 1, "references": ["", "", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and\nto identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \n", "enabled": false, "false_positives": ["Administrator script"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "1a3b3d94-f8be-8f9c-fdfc-7c3d2470ef7d", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Suspicious Get Information for SMB Share", "query": "(powershell.command.invocation_details:*get\\-smbshare* OR winlog.event_data.Payload:*get\\-smbshare* OR ContextInfo:*get\\-smbshare*)", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1069"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and\nto identify potential systems of interest for Lateral Movement.\nNetworks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \n", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "1a3b3d94-f8be-8f9c-fdfc-7c3d2470ef7d", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Suspicious Get Information for SMB Share", "query": "powershell.file.script_block_text:*get\\-smbshare*", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1069"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0007", "reference": "", "name": "Discovery"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1069", "name": "Permission Groups Discovery", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may manipulate accounts to maintain access to victim systems.\nAccount manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups\n", "enabled": false, "false_positives": ["Legitimate administrative script"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "3c9ea10e-6f3d-9a12-b896-baf5ee23b1d3", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Powershell LocalAccount Manipulation", "query": "powershell.file.script_block_text:(*Disable\\-LocalUser* OR *Enable\\-LocalUser* OR *Get\\-LocalUser* OR *Set\\-LocalUser* OR *New\\-LocalUser* OR *Rename\\-LocalUser* OR *Remove\\-LocalUser*)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1098"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0003", "reference": "", "name": "Persistence"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1098", "name": "Account Manipulation", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.", "enabled": false, "false_positives": ["Legitimate admin script"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "027e7412-5509-3ee3-e86f-170d6d8cd5ca", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Powershell Timestomp", "query": "powershell.file.script_block_text:(*.CreationTime\\ \\=* OR *.LastWriteTime\\ \\=* OR *.LastAccessTime\\ \\=* OR *\\[IO.File\\]\\:\\:SetCreationTime* OR *\\[IO.File\\]\\:\\:SetLastAccessTime* OR *\\[IO.File\\]\\:\\:SetLastWriteTime*)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Defense Evasion", "T1070"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0005", "reference": "", "name": "Defense Evasion"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1070", "name": "Indicator Removal on Host", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "9b4ce6ec-1b19-43ef-45b3-280d396add8d", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Dump Credentials from Windows Credential Manager With PowerShell", "query": "(powershell.file.script_block_text:(*Get\\-PasswordVaultCredentials* OR *Get\\-CredManCreds*) OR (powershell.file.script_block_text:*New\\-Object* AND powershell.file.script_block_text:*Windows.Security.Credentials.PasswordVault*) OR (powershell.file.script_block_text:*New\\-Object* AND powershell.file.script_block_text:*Microsoft.CSharp.CSharpCodeProvider* AND powershell.file.script_block_text:*\\[System.Runtime.InteropServices.RuntimeEnvironment\\]\\:\\:GetRuntimeDirectory\\(\\)\\)* AND powershell.file.script_block_text:*Collections.ArrayList* AND powershell.file.script_block_text:*System.CodeDom.Compiler.CompilerParameters*))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Credential Access", "T1555"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0006", "reference": "", "name": "Credential Access"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may search for common password storage locations to obtain user credentials.\nPasswords are stored in several places on a system, depending on the operating system or application holding the credentials.\n", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "e19a5134-7382-970c-e226-0ff8bece12b3", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Enumerate Credentials from Windows Credential Manager With PowerShell", "query": "(powershell.file.script_block_text:*vaultcmd* AND powershell.file.script_block_text:*\\/listcreds\\:* AND powershell.file.script_block_text:(*Windows\\ Credentials* OR *Web\\ Credentials*))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Credential Access", "T1555"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0006", "reference": "", "name": "Credential Access"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1555", "name": "Credentials from Password Stores", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "b0a533fe-7690-3418-bbd9-f40d44a9d7ba", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Discover Private Keys", "query": "(process.command_line.text:(*dir\\ * OR *findstr\\ *) AND process.command_line.text:(*.key* OR *.pgp* OR *.gpg* OR *.ppk* OR *.p12* OR *.pem* OR *.pfx* OR *.cer* OR *.p7b* OR *.asc*))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Credential Access", "T1552"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0006", "reference": "", "name": "Credential Access"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.\nThese can be files created by users to store their own credentials, shared credential stores for a group of individuals,\nconfiguration files containing passwords for a system or service, or source code/binary files containing embedded passwords.\n", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "f8c6cfba-671d-dfc9-5cc8-ffaed52dc87a", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Extracting Information with PowerShell", "query": "(powershell.file.script_block_text:*ls* AND powershell.file.script_block_text:*\\ \\-R* AND powershell.file.script_block_text:*select\\-string\\ * AND powershell.file.script_block_text:*\\-Pattern\\ *)", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Credential Access", "T1552"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0006", "reference": "", "name": "Credential Access"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may search the Registry on compromised systems for insecurely stored credentials.\nThe Windows Registry stores configuration information that can be used by the system or other programs.\nAdversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services\n", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "399860d9-1fa1-ab3d-321a-8aef632619d0", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Enumeration for Credentials in Registry", "query": "((process.executable:*\\\\reg.exe AND process.command_line:*\\ query\\ * AND process.command_line:*\\/t\\ * AND process.command_line:*REG_SZ* AND process.command_line:*\\/s*) AND ((process.command_line:*\\/f\\ * AND process.command_line:*HKLM*) OR (process.command_line:*\\/f\\ * AND process.command_line:*HKCU*) OR process.command_line:*HKCU\\\\Software\\\\SimonTatham\\\\PuTTY\\\\Sessions*))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["Credential Access", "T1552"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0006", "reference": "", "name": "Credential Access"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1552", "name": "Unsecured Credentials", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.", "enabled": false, "false_positives": ["Legitimate administrative activity"], "filters": [], "from": "now-360s", "immutable": false, "index": ["apm-*-transaction", "auditbeat-*", "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*", "logs-*"], "interval": "5m", "rule_id": "5f65b700-fd8b-9ba4-b0fb-91041cf44fe8", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "System Shutdown/Reboot", "query": "(type:\"EXECVE\" AND ((*shutdown* OR *reboot* OR *halt* OR *poweroff*) OR ((*init* OR *telinit*) AND (*0* OR *6*))))", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1529"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0034", "reference": "", "name": "Impact"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1529", "name": "System Shutdown/Reboot", "reference": ""}]}], "version": 1, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"], "timestamp_override": "event.ingested", "author": ["Igor Fits", "oscd.community"], "license": ""}
- {"description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.", "enabled": false, "false_positives": ["Legitimate administrative activity"], "filters": [], "from": "now-360s", "immutable": false, "index": ["apm-*-transaction", "auditbeat-*", "endgame-*", "filebeat-*", "packetbeat-*", "winlogbeat-*", "logs-*"], "interval": "5m", "rule_id": "5f65b700-fd8b-9ba4-b0fb-91041cf44fe8", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "System Shutdown/Reboot", "query": "process.executable:(*\\/shutdown OR *\\/reboot OR *\\/halt)", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1529"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0034", "reference": "", "name": "Impact"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1529", "name": "System Shutdown/Reboot", "reference": ""}]}], "version": 1, "references": ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"], "timestamp_override": "event.ingested", "author": ["Igor Fits", "Mikhail Larin", "oscd.community"], "license": ""}
- {"description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", "enabled": false, "false_positives": ["Other SMTP tools"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "eff2a697-07ce-8ab8-4351-29dbe0eb32dc", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Suspicious Outbound SMTP Connections", "query": "((destination.port:(\"25\" OR \"587\" OR \"465\" OR \"2525\") AND winlog.event_data.Initiated:\"true\") AND (NOT ((process.executable.text:(*\\\\thunderbird.exe OR *\\\\outlook.exe)) OR (process.executable.text:C\\:\\\\Program\\ Files\\\\Microsoft\\\\Exchange\\ Server\\\\*) OR (process.executable.text:C\\:\\\\Program\\ Files\\\\WindowsApps\\\\microsoft.windowscommunicationsapps_* AND process.executable.text:*\\\\HxTsr.exe))))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1048"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0010", "reference": "", "name": "Exfiltration"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": ""}]}], "version": 1, "references": ["", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.\nThe data may also be sent to an alternate network location from the main command and control server.\n", "enabled": false, "false_positives": ["Legitimate script"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "68498627-9742-9a1d-e69a-a5bfbeebc083", "language": "lucene", "max_signals": 100, "risk_score": 35, "name": "Powershell Exfiltration Over SMTP", "query": "(powershell.file.script_block_text:*Send\\-MailMessage* AND (NOT (powershell.file.script_block_text:*CmdletsToExport*)))", "meta": {"from": "1m"}, "severity": "medium", "tags": ["T1048"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0010", "reference": "", "name": "Exfiltration"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1048", "name": "Exfiltration Over Alternative Protocol", "reference": ""}]}], "version": 1, "references": ["", "", ""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}
- {"description": "Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange and SQL Server.", "enabled": false, "false_positives": ["Unknown"], "filters": [], "from": "now-360s", "immutable": false, "index": ["winlogbeat-*"], "interval": "5m", "rule_id": "8b7f55ff-f1c9-15ed-e8b9-01d251fe0c3c", "language": "lucene", "max_signals": 100, "risk_score": 5, "name": "Suspicious Execution of Taskkill", "query": "((process.executable:*\\\\taskkill.exe OR winlog.event_data.OriginalFileName:\"taskkill.exe\") AND (process.command_line:*\\ \\/f* AND process.command_line:*\\ \\/im\\ *))", "meta": {"from": "1m"}, "severity": "low", "tags": ["T1489"], "to": "now", "type": "query", "threat": [{"tactic": {"id": "TA0034", "reference": "", "name": "Impact"}, "framework": "MITRE ATT&CK\u00ae", "technique": [{"id": "T1489", "name": "Service Stop", "reference": ""}]}], "version": 1, "references": [""], "timestamp_override": "event.ingested", "author": ["frack113"], "license": ""}